For years Apple has sold the Mac as the computer for people who care about privacy and security. Strong default protections, tight control over the platform and regular security updates are all part of that pitch. 
That is why the company’s latest move around its Security Bounty program for macOS is raising eyebrows: just weeks after proudly increasing payouts, Apple has quietly cut some of the most important Mac-related rewards to a fraction of their former value, right as Mac-focused attacks are becoming more common.
To understand why this matters, it is worth remembering what a bug bounty is. Instead of relying only on internal teams, companies pay independent security researchers when they responsibly disclose serious vulnerabilities. It is a way to align incentives: if a researcher can earn a fair payout by reporting a flaw to Apple, they are less likely to sell it on the gray market or sit on it. For high-impact bugs that could expose millions of users, the amounts can be significant.
Earlier this year it looked like Apple was finally catching up with the industry’s leading bug bounty programs. Payouts were raised, rules clarified and the company publicly highlighted its investment in security research. That is why a recent update to the macOS section of the Security Bounty page shocked many specialists. macOS security researcher Csaba Fitzl from Iru combed through Apple’s revised tables and posted his findings on LinkedIn, calling out just how aggressively some Mac categories have been trimmed.
The most dramatic change concerns full Transparency, Consent and Control (TCC) bypasses. TCC is the layer that asks for your permission before an app accesses your Photos, Calendar, microphone, camera or other sensitive data. A true bypass means a malicious app can silently slip past those prompts and rifle through your private life. Previously, Apple valued such a finding at up to $30,500. Under the new scheme, the top reward for a full TCC bypass on macOS is just $5,000, a cut of about 84 percent.
Another crucial class of macOS bugs is the sandbox escape. Mac App Store apps must run in the App Sandbox, and many other apps opt in to it: a restricted environment designed to keep even a compromised app from touching the wider system. A sandbox escape lets an attacker jump that fence and run more powerful code. Apple once offered around $10,000 for such issues on macOS; the updated bounty table drops that to $5,000, halving the payout for a vulnerability that often serves as a key link in a full compromise chain.
Then there is the more subtle category of vulnerabilities that grant access to data protected by TCC, such as photos or documents, without using the TCC Target Flag. These weaknesses still pierce Apple’s privacy shield, but are now capped at just $1,000. For independent researchers who may spend weeks or months analyzing obscure macOS internals, that figure can feel more like a token gesture than a serious reward for work that directly helps protect everyday Mac users.
None of this is happening in a vacuum. Mac malware has evolved from a rarity into a profitable niche for cybercriminals, with adware, stealers and targeted spyware all appearing in the wild. As more people buy Macs for both personal and professional use, the platform becomes a more attractive target. That reality makes it even harder for researchers to understand why Apple would choose this moment to dial back the incentives for finding and reporting critical macOS flaws.
The cuts also sit awkwardly next to Apple’s own marketing around security. In recent years the company has rolled out a dedicated Lockdown Mode for high-risk users, which aggressively reduces the attack surface by limiting attachments, link previews and some web technologies. Safari’s security architecture has been overhauled to confine web content more strictly. At the hardware level, features such as Memory Integrity Enforcement on chips like the A19 family are designed to make memory corruption exploits significantly harder. All of these defenses are important – but they become truly effective only when researchers are motivated to probe them and highlight where they fail.
Critics argue that by devaluing serious Mac bugs, Apple sends the wrong signal to the very people who help keep its ecosystem safe. A researcher who discovers a complex TCC bypass now has to weigh whether $5,000 from Apple is worth more than alternative options, including private sales that may never see the vulnerability fixed. The lower the official bounty, the more tempting those alternatives become, especially for people working in regions where such payouts are a primary source of income.
Apple has not publicly explained the reasoning behind the new bounty tiers. Perhaps the company believes its macOS defenses have matured and that truly high-impact bugs are now rarer, or wants to standardize rewards across platforms. From the outside, though, the move looks less like optimization and more like cost cutting, and it jars with an era in which rival tech giants are increasing their own top payments and actively courting security researchers.
For everyday Mac owners, these changes will not trigger an immediate catastrophe. Your computer will not suddenly become insecure overnight. But bug bounty programs are a long-term investment in the health of a platform. If fewer researchers decide that macOS is worth their time, undiscovered vulnerabilities may linger longer, and sophisticated attackers will quietly take advantage. The question is not whether Apple hates Macs, but whether it values the work that keeps them safe as highly as it claims. Right now, many in the security community feel that the new bounty figures tell a very different story from Apple’s glossy marketing slides.
1 comment
Bug bounty market is wild; other vendors are paying way more for this level of vuln.